Running a Subversion Server

Running a Subversion Server

This section will describe how to set up, administer and secure a Subversion server.

Subversion Server Dependencies

Required

Subversion-1.4.4 and OpenSSH-4.7p1

Setting up a Subversion Server.

The following instructions will install a Subversion server, which will be set up to use OpenSSH as the secure remote access method, with svnserve available for anonymous access.

Configuration of the Subversion server consists of the following steps:

1. Setup Users, Groups, and Permissions

You'll need to be user root for the initial portion of configuration. Create the svn user and group with the following commands:

groupadd -g 56 svn &&
useradd -c "SVN Owner" -d /home/svn -m -g svn -s /bin/false -u 56 svn

If you plan to have multiple repositories, you should have a group dedicated to each repository for ease of administration. Create the svntest group for the test repository and add the svn user to that group with the following commands:

groupadd -g 57 svntest &&
usermod -G svntest -a svn

Additionally you should set umask 002 while working with a repository so that all new files will be writable by owner and group. This is made mandatory by creating a wrapper script for svn and svnserve:

mv /usr/bin/svn /usr/bin/svn.orig &&
mv /usr/bin/svnserve /usr/bin/svnserve.orig &&
cat >> /usr/bin/svn << "EOF"
#!/bin/sh
umask 002
/usr/bin/svn.orig "$@"
EOF
cat >> /usr/bin/svnserve << "EOF"
#!/bin/sh
umask 002
/usr/bin/svnserve.orig "$@"
EOF
chmod 0755 /usr/bin/svn{,serve}
[Note]

Note

If you use Apache for working with the repository over HTTP, even for anonymous access, you should wrap /usr/sbin/httpd in a similar script.

2. Create a Subversion repository.

With subversion-1.1.0 and greater, a new type of repository data-store is available, FSFS. There is a tradeoff for speed with the new backend, however, the repository can now be placed on a network mount, and any corruption does not require an admin to recover the repository. For more information and comparison between FSFS and BDB, see http://svnbook.red-bean.com/svnbook-1.1/ch05.html#svn-ch-5-sect-1.2.A.

Create a new Subversion repository with the following commands:

install -v -m 0755 -d /srv &&
install -v -m 0755 -o svn -g svn -d /srv/svn/repositories &&
svnadmin create --fs-type fsfs /srv/svn/repositories/svntest

Now that the repository is created, it should be populated with with something useful. You'll need to have a predefined directory layout set up exactly as you want your repository to look. For example, here is a sample BLFS layout setup with a root of svntest/. You'll need to setup a directory tree similar to the following:

          svntest/            # The name of the repository
             trunk/           # Contains the existing source tree
                BOOK/
                bootscripts/
                edguide/
                patches/
                scripts/
             branches/        # Needed for additional branches
             tags/            # Needed for tagging release points

Once you've created your directory layout as shown above, you are ready to do the initial import:

svn import -m "Initial import." \
    </path/to/source/tree> \
    file:///srv/svn/repositories/svntest

Now change owner and group information on the repository, and add an unprivileged user to the svn and svntest groups:

chown -R svn:svntest /srv/svn/repositories/svntest &&
chmod -R g+w /srv/svn/repositories/svntest &&
chmod g+s /srv/svn/repositories/svntest/db &&
usermod -G svn,svntest -a <username>

svntest is the group assigned to the svntest repository. As mentioned earlier, this eases administration of multiple repositories when using OpenSSH for authentication. Going forward, you'll need to add your unprivileged user, and any additional users that you wish to have write access to the repository, to the svn and svntest groups.

In addition, you'll notice that the new repository's db directory is set-groupID. If the reasoning is not immediately obvious, when using any external authentication method (such as ssh), the sticky bit is set so that all new files will be owned by the user, but group of svntest. Anyone in the svntest group can create files, but still give the entire group write access to those files. This avoids locking out other users from the repository.

Now, return to an unprivileged user account, and take a look at the new repository using svnlook:

svnlook tree /srv/svn/repositories/svntest/
[Note]

Note

You may need to log out and back in again to refresh your group memberships. 'su <username>' should work as well.

3. Configure the Server

As mentioned previously, these instructions will configure the server to use only ssh for write access to the repository and to provide anonymous access using svnserve. There are several other ways to provide access to the repository. These additional configurations are best explained at http://svnbook.red-bean.com/.

Access configuration needs to be done for each repository. Create the svnserve.conf file for the svntest repository using the following commands:

cp /srv/svn/repositories/svntest/conf/svnserve.conf \
    /srv/svn/repositories/svntest/conf/svnserve.conf.default &&
cat > /srv/svn/repositories/svntest/conf/svnserve.conf << "EOF"
[general]
anon-access = read
auth-access = write
EOF

There is not a lot to the configuration file at all. You'll notice that only the general section is required. Take a look at the svnserve.conf.default file for information on using svnserve's built-in authentication method.

4. Starting the Server

There are a couple of ways to start svnserve. The most common way is to start it as an inetd or xinetd process. Alternately, you can use a bootscript to start the service at startup.

[Note]

Note

If you do not wish to provide anonymous access to your svn repositories or use svnserve's built-in authentication, you do not need to run svnserve.

If you use inetd, add a line to /etc/inetd.conf using the following commands:

cat >> /etc/inetd.conf << "EOF"
svn stream tcp nowait svn /usr/bin/svnserve svnserve -i
EOF

If you use xinetd, the following command will create the Subversion server file as /etc/xinetd.d/svn:

cat >> /etc/xinetd.d/svn << "EOF"
# Begin /etc/xinetd.d/svn

service svn
{
        port                    = 3690
        socket_type             = stream
        protocol                = tcp
        wait                    = no
        user                    = svn
        server                  = /usr/bin/svnserve
        server_args             = -i -r /srv/svn/repositories
}

# End /etc/xinetd.d/svn
EOF

Finally, if you wish to simply start the server at startup, install the svn bootscript included in the blfs-bootscripts-20080816 package.

make install-svn

Last updated on 2008-04-01 15:41:23 -0500